Bug 1943685 (CVE-2021-3500)
Summary: | CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | carnil, caswilli, fcanogab, kaycoth, manisandro, mkaplan, mkasik, security-response-team, tuxmealux+redhatbz |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | A flaw was found in djvulibre-3.5.28 and earlier. A stack overflow in function DJVU::DjVuDocument::get_djvu_file() via a crafted djvu file may lead to an application crash and other consequences. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-11-04 14:57:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1943411, 1958164, 1958165 | ||
Bug Blocks: | 1949947 |
Description
Pedro Sampaio
2021-03-26 19:57:56 UTC
Is it possible to get more information/details on this issue? The referenced further bug seems restricted so far. Is there a fix for this issue upstream?

Regards,
Salvatore

I agree with Salvatore, it would be nice if you can share technical details about this issue.

Thanks,
Gianluca

Hi,

I've just pushed an update which among others fixes this issue as well.

The issue here is that djvulibre tries to open a file inside a djvu file while already opening it and this goes on and on resulting in stack overflow. I've broken this cycle by remembering which file it is opening. I've stored the name in DjVuPortcaster class since it is common to these actions.

I'm not aware of an upstream fix for this.

Regards

Created djvulibre tracking bugs for this issue:

Affects: epel-7 [bug 1943411]

Created djvulibre tracking bugs for this issue:

Affects: epel-7 [bug 1958164]

Created mingw-djvulibre tracking bugs for this issue:

Affects: fedora-all [bug 1958165]

Acknowledgments:

Name: 1vanChen (NSFOCUS Security Team)

(In reply to Marek Kašík from comment #4)
> Hi,
>
> I've just pushed an update which among others fixes this issue as well.
>
> The issue here is that djvulibre tries to open a file inside a djvu file
> while already opening it and this goes on and on resulting in stack overflow.
> I've broken this cycle by remembering which file it is opening. I've stored
> the name in DjVuPortcaster class since it is common to these actions.
>
> I'm not aware of an upstream fix for this.
>
> Regards

Hi Marek,

I see similar bugs are public:

https://bugzilla.redhat.com/show_bug.cgi?id=1943408
https://bugzilla.redhat.com/show_bug.cgi?id=1943409
https://bugzilla.redhat.com/show_bug.cgi?id=1943410
https://bugzilla.redhat.com/show_bug.cgi?id=1943424

Since 1943411 is no longer embargoed, I'm wondering if you can open it to everybody?

Thanks,
Gianluca

Hi Gianluca,

I am probably not the person who should do this. I've forwarded your question to Michael.

Regards

(In reply to Gianluca Gabrielli from comment #8)
> (In reply to Marek Kašík from comment #4)
> > Hi,
> >
> > I've just pushed an update which among others fixes this issue as well.
> >
> > The issue here is that djvulibre tries to open a file inside a djvu file
> > while already opening it and this goes on and on resulting in stack overflow.
> > I've broken this cycle by remembering which file it is opening. I've stored
> > the name in DjVuPortcaster class since it is common to these actions.
> >
> > I'm not aware of an upstream fix for this.
> >
> > Regards
>
> Hi Marek,
>
> I see similar bugs are public:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1943408
> https://bugzilla.redhat.com/show_bug.cgi?id=1943409
> https://bugzilla.redhat.com/show_bug.cgi?id=1943410
> https://bugzilla.redhat.com/show_bug.cgi?id=1943424
>
> Since 1943411 is no longer embargoed, I'm wondering if you can open it to
> everybody?
>
> Thanks,
> Gianluca

Hey Gianluca,

It's Done.
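
The guard described in comment #4 (remember what is currently being opened and refuse to re-enter it), sketched as an added example. This is not djvulibre code or the packaged patch; `Includes`, `Loader` and `has_include_cycle` are hypothetical names working on a constructed in-memory document.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for a multi-file document: component -> components it includes.
using Includes = std::map<std::string, std::vector<std::string>>;

class Loader {
public:
    explicit Loader(const Includes& doc) : doc_(doc) {}
    // Returns components in the order they finished loading. Throws if a
    // component is reached again while it is still being opened, instead of
    // recursing until the stack is exhausted.
    std::vector<std::string> load(const std::string& root) {
        opening_.clear(); done_.clear(); order_.clear();
        open(root);
        return order_;
    }
private:
    void open(const std::string& name) {
        if (done_.count(name)) return;          // shared include, already loaded
        if (!opening_.insert(name).second)      // already on the current open path
            throw std::runtime_error("include cycle at " + name);
        auto it = doc_.find(name);
        if (it == doc_.end()) throw std::runtime_error("missing component " + name);
        for (const auto& child : it->second) open(child);
        opening_.erase(name);                   // finished, leave the open path
        done_.insert(name);
        order_.push_back(name);
    }

    const Includes& doc_;
    std::set<std::string> opening_, done_;
    std::vector<std::string> order_;
};

// True if loading `root` is stopped by the cycle guard.
bool has_include_cycle(const Includes& doc, const std::string& root) {
    try { Loader(doc).load(root); return false; }
    catch (const std::runtime_error& e) { return std::string(e.what()).rfind("include cycle", 0) == 0; }
}

int main() {
    Includes cyclic = {{"a", {"b"}}, {"b", {"a"}}};   // constructed: a includes b, b includes a
    std::cout << (has_include_cycle(cyclic, "a") ? "cycle rejected\n" : "loaded\n");
}
```

Keeping a separate `done_` set lets a component that is legitimately included from two places load once without being mistaken for a cycle.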